fix(api): redact sensitive headers from webhook delivery records #3988

Merged
mmabrouk merged 1 commit into fix/shady-webhooks from fix/redact-webhook-delivery-secrets
Mar 13, 2026

Conversation

@mmabrouk mmabrouk (Member) commented Mar 13, 2026

Summary

  • Webhook delivery records were persisting Authorization tokens and X-Agenta-Signature HMAC values in plaintext in the data.headers JSON column
  • Delivery records are audit logs — they should never contain secrets
  • This adds a _redact_headers() step that replaces sensitive header values with [REDACTED] before the delivery is stored in the database
  • The actual HTTP request still uses the full unredacted headers — only the persisted copy is sanitized

Details

When auth_mode=authorization, the decrypted signing secret was stored verbatim in data.headers.Authorization. When auth_mode=signature, the HMAC signature was stored in data.headers.X-Agenta-Signature. Both were then returned by the delivery query API and visible in any delivery log viewer.

The fix is minimal: after merging headers for the HTTP request, a redacted copy is stored in base_data.headers (used for DB persistence), while the original request_headers continues to be used for the actual HTTP call.


Authorization tokens and HMAC signatures were being stored in plaintext
in the delivery data.headers field, which is persisted to the database
and returned via the delivery query API.

Delivery records are audit logs — they should never contain secrets.
The actual HTTP request still uses the full unredacted headers; only the
stored copy is sanitized.
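The pattern described in this PR, as an added example that is not Agenta's own code: the record that gets persisted carries a redacted copy of the headers while the dict handed to the HTTP client keeps the real values. The function names (`_redact_headers`, `build_delivery`, `leaks_secret`) and the sensitive-header set are assumptions; the sample inputs are constructed.

```python
# Added example, not the project's code. Names and the header set are assumed.
from copy import deepcopy

# Compared case-insensitively: HTTP header names are not case-sensitive, so an
# exact-string match on "Authorization" would miss "authorization".
SENSITIVE_HEADERS = frozenset({"authorization", "x-agenta-signature"})
REDACTED = "[REDACTED]"


def _redact_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a new dict with sensitive header values replaced by [REDACTED].

    The input is never mutated, so the caller can still use it for the request.
    """
    return {
        name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def build_delivery(base_data: dict, auth_headers: dict[str, str]) -> tuple[dict, dict[str, str]]:
    """Merge caller headers with auth headers for the HTTP request, and store
    only a redacted copy in the record that will be persisted."""
    request_headers = {**base_data.get("headers", {}), **auth_headers}
    record = deepcopy(base_data)
    record["headers"] = _redact_headers(request_headers)  # persisted copy
    return record, request_headers  # request_headers stays unredacted


def leaks_secret(record: dict, secrets: set[str]) -> bool:
    """Pre-persist check: does any known secret value survive in the record?"""
    return any(v in secrets for v in record.get("headers", {}).values())


if __name__ == "__main__":
    # Constructed sample input.
    base = {"url": "https://example.invalid/hook", "headers": {"Content-Type": "application/json"}}
    auth = {"Authorization": "Bearer example-token", "X-Agenta-Signature": "sha256=0123abcd"}
    record, request_headers = build_delivery(base, auth)
    print(record["headers"])                  # Authorization and signature show as [REDACTED]
    print(request_headers["Authorization"])   # Bearer example-token
```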
@vercel vercel bot commented Mar 13, 2026

Deployment status: agenta-documentation, Ready (Preview), updated Mar 13, 2026 2:59pm UTC

@devin-ai-integration devin-ai-integration bot (Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.


@github-actions github-actions bot (Contributor) commented Mar 13, 2026

Railway Preview Environment

Status Destroyed (PR closed)

Updated at 2026-03-13T15:40:14.224Z

@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. Backend bug Something isn't working lgtm This PR has been approved by a maintainer labels Mar 13, 2026
@mmabrouk mmabrouk merged commit e953daa into fix/shady-webhooks Mar 13, 2026
9 of 10 checks passed